Category Archives: ISO 9001

9001:2015, ISO 9001, Training

First Things First: Implementing 9001

2 Comments

Sky is the LimitAre you in the midst of implementing 9001? Are we ever not in the midst of it?

I’d like to begin a series of posts on implementing 9001 – or any management system, from scratch. It will be focused on 9001, based on the draft of the next version of it in fact, but it should be well applicable to any management system; quality, environmental or information security – pick your flavor.

Where should one begin? Document control? Internal audits? The bones of a nice corrective action system? So many choices…

I audit these systems on a daily basis, I finding the folly alongside the fabulous. I’ll do what I can to make it a worthwhile read.

If you’re a current implementor, please – let us know any challenges you are having.

I should probably make apologies to Stephen Covey for using his book title (but it does provide me an opportunity to plug a very good resource – click it!).

Auditing, ISO, ISO 9001

OSHA within 9001 – how to find it

Leave a comment
it's really coffee, but there's still OSHA within 9001.
it’s really coffee

During a recent audit, it happened that a lapse within an organization’s OSHA compliance was observed. When I say “observed”, I don’t mean to imply it was an observation – it became a non-conformance.

This is a particularly good company, by the way – they do better than most with much of their process. But I’m here with the requirements of ISO 9001 in one hand, and the snapshot of what is happening in their company at that moment in the other.

OSHA does a fair amount of enforcement themselves – they audit companies too. So, where does the management system auditor come in?

And quickly, particularly for those of you in other countries, OSHA is short for “Occupational Safety & Health Administration”. The meat of their mission is to assure safe working conditions by setting and enforcing standards.

An OSHA finding by an ISO 9001 Auditor??

And that’s the question. It often takes the client by surprise when I spring the HazCom card on them, and nobody likes surprises – particularly not I.  It isn’t good for business – and it isn’t nice.

“How can you write me up for OSHA in 9001? This isn’t 18001! I just had my OSHA guy in last week and he found nothing.”

It’s an emotional activity sometimes; this business of poking holes in someone else’s presumably good pie. We all take pride in what we do.

Two Hooks

First, what’s the requirement? How exactly do you find the OHSA in 9001? That’s a two-parter; one is the OSHA regulation and the other is the ISO clause that hooks into it.

OSHA CFR

OSHA has its Code of Federal Regulation and it is, in a word, beastly. It is divided into 50 titles that represent broad areas subject to federal regulation. It is close to 180,000 pages, including a  1,000-plus page index. For comparison, all the books in Game of Thrones total just over 4200 pages – though I think more people die in Game of Thrones.

The OSHA citation is 29 CFR 1910.1200(f).

Except for some exceptions that will rarely apply, it parses to:

“…the employer shall ensure that each container of hazardous chemicals in the workplace is labeled, tagged or marked with the following information:

(i) Identity of the hazardous chemical(s) contained therein; and,

(ii) Appropriate hazard warnings, or alternatively, words, pictures, symbols, or combination thereof, which provide at least general information regarding the hazards of the chemicals, and which, in conjunction with the other information immediately available to employees under the hazard communication program, will provide employees with the specific information regarding the physical and health hazards of the hazardous chemical…”

Secondary Containers

The real issue is usually around “secondary containers”. These are not the containers that a chemical comes in – those are often correctly labeled from the manufacturer – it is the container that is used either to transport the chemical to the point of use, or the container it is temporarily stored in, or refilled into, that wasn’t originally used to store the chemical.

What kinds of chemicals are we talking about? Well, everything from water to cleaning agents to MEK (methyl ethyl ketone – unpleasant stuff). In most facilities I find various oils, alcohols of all kinds, acetone occasionally, solder flux, coolants.

Usually the more dangerous items have been taken care of – though lack of diligence or awareness in one area, can bleed into others.

Globally Harmonized System (GHS)

Because it was recently implemented as a change to how chemicals are labeled, I will cover it here. When OSHA adopted the Globally Harmonized System (GHS) in 2012, it wasn’t immediately clear how changes to labeling rules would affect the workplace.

The latest guidance from OSHA shows that the general requirements for workplace labeling have not changed. When it comes to secondary container labeling, OSHA said organizations can proceed as usual as long as they are adequately informing employees about hazardous chemicals.

OSHA said this in a recent briefing.

“If an employer has an in-plant or workplace system of labeling that meets the requirements of HazCom 1994, the employer may continue to use this system in the workplace as long as this system, in conjunction with other information immediately available to the employees, provides the employees with the information on all of the health and physical hazards of the hazardous chemical,”

Clarence is a Secondary Container for cat food. There's OSHA within 9001, but not in Clarence.
Clarence is a Secondary Container for cat food.

What Labeling is Acceptable?

According to OSHA, as long as employees have immediate access to all information about the hazards of the chemical, and as long as secondary container labels do not conflict or confuse GHS pictograms or signal words, employers can use a workplace labeling system that includes any of the following labeling methods:

  • Signs
  • Placards
  • Process sheets
  • Batch tickets
  • Operating procedures
  • Other written materials to identify hazardous materials

The generally accepted approach to this is the HazCom label, but some combination of the above works as well. Let the resident expert tell you what they do to satisfy the regulation – if there is one (there should be).

The placard option is one I’ve seen that works well in many organizations. Essentially a largish laminated HazCom label hung in the area where the containers would be found, possibly also attached to a work surface. This is going to be more effective when the chemicals are of low risk (oils, for example).

This is really up to the company to define, but it has to be established – and that brings us to the 9001:2008 requirement.

The OSHA within 9001

OSHA requirements fall into the category of “statutory and regulatory requirements” which are referenced in several places – feel free to skip to “The Best Place…” below, for my take on it.:

1.1 General

This International Standard specifies requirements for a quality management system where an organization a) needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements, and b) aims to enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.

1.2 Application

… Where exclusions are made, claims of conformity to this International Standard are not acceptable unless these exclusions are limited to requirements within Clause 7, and such exclusions do not affect the organization’s ability, or responsibility, to provide product that meets customer and applicable statutory and regulatory requirements. 

Translation: You can’t exclude yourself from an OSHA Requirement in your Scope of Registration on your Certificate.

5.1 Management commitment

Top management shall provide evidence of its commitment to the development and implementation of the quality management system and continually improving its effectiveness by

  1. a) communicating to the organization the importance of meeting customer as well as statutory and regulatory requirements…

7.2.1 Determination of requirements related to the product

The organization shall determine … c) statutory and regulatory requirements applicable to the product…

7.3.2 Design and development inputs

Inputs relating to product requirements shall be determined and records maintained (see 4.2.4). These inputs shall include … b) applicable statutory and regulatory requirements…

The Best Place (ymmv) to find OSHA within 9001

For myself, the “go to” clause to find OSHA within 9001 is the one in 5.1, specifically the “communicating to the organization the importance of meeting customer as well as statutory and regulatory requirement”. And that is a responsibility of management.

The salient point being that if the requirement were effectively communicated, then it would not be an issue. By placing it there I believe it addresses the likely root cause and can help an organization solve the entire problem; helping them look at all of their applicable statutory and legal requirements and how those are implemented in the workplace.

One of the other clauses above may in some cases work better, particularly the one with regard to design input, but frankly, this pre-supposes a familiarity with the product that an auditor can’t be expected to have.

The Last Word(s)

The OSHA requirements, the common ones and some of the not-so-common ones, have almost certainly been seen in many different organizations, particularly by an auditor with some seasoning.

HazCom as described above is the most common place to find OSHA within 9001. Occasionally there is also forklift or Powered Industrial Truck (PIT) safety. The regulation for that is fairly complicated as well. I may cover that in another post but basically, there is a law that all PIT’s be given a safety inspection every day, and before each shift. Typically this means forklifts, but there are other hand-carts that are powered that fall into this category.

This often is done in a company, but no records are kept of it because the OSHA requirement for record keeping is less clear. For 9001, since the action stems from a specified requirement – there needs to be a record of it.

The auditor is cautioned, however, not to “second guess” any local authority on the subject. You are being paid for your management system auditing expertise, not your OSHA compliance acumen. If they have a system in place; someone with the proper credentials (see the requirements in 6.2) then hear them out – you may learn something.

Thanks for your attention.

And now a word from our sponsor:

18001, 9001:2015, ISO 14001, ISO 27001, ISO 9001, Training

Training Effectiveness Guide

Leave a comment

An Apple a DayVerification of training effectiveness is required by most of the frequently used management system standards. Even companies with well-established training programs struggle with how to evaluate and moreover, how to realize value from their efforts.

Naturally, I see many methods of verification of training effectiveness in my audits – sometimes inspiring, sometimes – not so much. At the very least, it all makes me think. Without giving away anyone’s secrets, I thought I’d share my own thoughts.

The Requirement for Training Effectiveness

Verification of training effectiveness shows up in several of the popularly implemented standards; 9001:2008  (and in the DIS of the 2015 version), 13485:2003 (Medical devices), OHSAS 18001:2007 (Safety), and 27001:2013 (Information Systems).

You may note the omission of ISO 50001:2011 (Energy management) – verification of training effectiveness isn’t there, at least not directly.

And 14001:2004 (Environmental management), the current version, does not have a requirement to evaluate training effectiveness (old school), but the second draft (CD2) does have it. So, if you’re in that world – best start considering how you’re going to meet that need.

I’ll use the text from 9001 except where there’s a noteworthy difference in one of the other standards:

Competence, training and awareness
The organization shall

a) determine the necessary competence for personnel performing work affecting conformity to product requirements,

b) where applicable, provide training or take other actions to achieve the necessary competence,

c) evaluate the effectiveness of the actions taken,

d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and

e) maintain appropriate records of education, training, skills and experience…

OHSAS 18001 (Safety) is particularly succinct (note how it also addresses risk):

The organization shall identify training needs associated with its OH&S risks and its OH&S management system. It shall provide training or take other action to meet these needs, evaluate the effectiveness of the training or action taken, and retain associated records.

The main point for our discussion today is that people get trained, and the effectiveness of that training must be evaluated.

Something as simple as this:

Basic Requrement

Ideally, though, if the training wasn’t effective one might question the training method. Another natural response, not unwholly unwarranted, is to assume the person being trained is at fault; that he or she just didn’t “get it”. This is, in my experience, the typical reaction –  and usually without justification.

But it need not be so. This is a larger topic, and mostly beyond the detail level of this post, but books and careers are made on the study of learning. If you’re interested in a fairly detailed work on that topic there’s How Learning Works: Seven Research-Based Principles for Smart Teaching. It’s geared more toward a university environment but it gives a fairly thorough understanding of the challenge.

For those of us juggling the job you were hired for plus the task of training, a great book choice is Design For How People Learn (Voices That Matter) by Julie Dirksen. It is certainly a practical and useful guide to the fundamental concepts of instructional design.

Failing that, simply showing someone a powerpoint or loading a VHS tape doesn’t necessarily have any chance to provide an effective learning experience for some people – even if you do make them sign a piece of paper afterwards saying their eyes were mostly open most of the time.

A better flow diagram may look like this:

Slightly more advanced training flowchart

Or, how about this? We’ve added a “lessons learned” that will modify the materials or methods for next time.

More enlightened Essentially, what I’m saying is before you train – evaluate what types of training would be suitable for both the task and the individual. Then, execute the training and make the evaluation of effectiveness. With this information in hand, go back and tweak the materials while providing any feedback to the training methodology for next time – and provide any needed retraining.

This is simply an extension of the Plan, Do, Check Act (PDCA) methodology and is at the core of these standards.

Some Specific Methods to Evaluate Training Effectiveness

Let’s look at some common ways to evaluate training effectiveness.

Testing

Tried and true, and most corporations’ go-to method of determining training effectiveness. Written tests do lend themselves well to safety-related training, or clear requirements-based content such as ITAR or even general policies with “dos and don’ts”.

Just be sure that if testing is used that there is a minimum score needed. I’ve reviewed test results and have found individuals that have received fairly close to a zero and still “pass”.

What happens in this situation is that if there is a low hurdle to jump it soon leads to corrections needed or non-conformances found in the process or product.

Typically these initial non-conformances have found the root cause to be related to training and this type of method defect is weeded out early.

Having said that, Testing is a simple solution and is likely going to be in your bag of evaluation options, if done properly.

An On-going Review of Process Metrics

Essentially, the rationale is saying, “Hey, we have trained people, we measure the important metrics and our trends are good; within limits and we are improving where possible.

It definitely can work. Naturally, the challenge is twofold; defining the meaningful metrics and measuring them in a consistent manner. Goals should be established already in response to The Standards’ other requirements.

If this method is used, be sure to clearly define how it works and have data to back it up. Remember, one of the other requirements is to maintain records to show the verification of training effectiveness – so clearly define what the record is.

Inquiry

It could be as simple as asking the individual who was trained, “How do you think the training went?” – this could be coupled with a short “trip report” (or not). This does tend to have limitations in terms of when it can be used, however. It is well-suited to external trainings or trainings to executive or higher-end technical positions, though it likely can be adapted to any situation.

A Review of an External Certification

Specific to externally performed trainings where the attendee completes a course and is given a post-course test or other plausible evaluation. Again, records would be needed to show this.

At Employee Reviews

A bit tricky in practice since these reviews often take place once a year but it is quite a common solution. Works particularly well for procedure or work-instruction-based trainings.

Similar to the “review of ongoing process” method described above, this technique would predetermine  criteria for success; coupling training that has occurred over the period.

The rationale being that successful completion of tasks and assignments; the day-to-day job would indicate effective training. Again, defining this process in detail, including records, is key to success.

Note that claiming effective training through the lack of problems or defects is not the same thing, especially if no one is formally looking at metrics in the first place.

So, That’s five methods for evaluating training effectiveness to consider:

  • Testing
  • An on-going review of process metrics
  • Inquiry
  • A review of external certification
  • At employee reviews

There are certainly more, particularly software-driven solutions as part of an HRIS application (Human Resource Information Systems) – but typically these need a little coaxing to fit the need (and are generally expensive).

I’m quite interested in other methods you might know of.

In Search of Value

The key though, is that your methods of training effectiveness, whatever they are, give something back to the organization.

The whole point is that it is a waste of resource to take up someone’s time with a training that isn’t absorbed and incorporated into the position.

Question Everything

What is the training trying to accomplish? If it is training to a procedure or work instruction – is the document needed in the first place?

Is it actually a training? Sometimes what companies call “training” is really only a communication – there is a difference, even if subtle.  Typically a training teaches, while a communication informs – the distinction is up to the company to decide. It’s important to make that distinction since if it is training, the hoops come up (as I like to say). Training means evaluate training effectiveness; they go hand-in-hand.

If a process must be documented in order to ensure things go smoothly, then it is worth training people to follow that process. To ensure the training is valuable, ensure that the process is doing what it is supposed to be doing.

From the Top Down

The business is there for a reason; a policy is stated and goals and objectives support that policy.

People are hired with the needed competencies. When there is a gap between what they know coming into the organization and what they need to know to meet the goals and objectives – then training is needed.

Processes and documents are defined to realize the policy – these are often the things that must be learned. And when people know what they are doing – it all works according to plan.

It all points back to monitoring the processes, goals and objectives – this is the key to providing training that provides value. Verifying that the training does what it is supposed to do – evaluating training effectiveness – is simply protecting that investment in time and money.

 

Thanks for reading, I hope it helps – but don’t worry, it won’t be on the test.